On Fri, 3 Aug 2001 Valdis.Kletnieksat_private wrote:

> Is all the information needed available in the VFS layer, or do we need
> to capture metadata at the NFSv4 layer as well, to do it right? Or
> should we just make sure to coordinate with the NFSv4 team to ensure that
> they keep the info we need around?

Not having looked at the NFSv4 protocol or implementation (other than sitting in on a talk at OLS), I don't know. While at the NSA, I previously implemented support for flexible nondiscretionary access controls for NFS (v2 and v3) in the DTOS prototype, a predecessor of SELinux, and I did write up a design for adding such support to the original SELinux prototype a while back. But that was based on the assumption that I could make fairly invasive changes (while keeping backwards compatibility for ordinary NFS clients and servers).

NAI Labs/TIS (not me) did an implementation of support for DTE in NFS a while back which wasn't very invasive, and I think others have experimented with DTE NFS implementations that try to be minimal in their invasiveness.

We plan on investigating full NFS support for SELinux at some point in the future, but I don't think that LSM has to fully address it in its initial version.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 10:52:52 PDT